tork

Quality of life: when duplicating a job, don't redact environment variables in a task if they inherit from inputs

Open v36372 opened this issue 1 year ago • 3 comments

Hi, when I duplicate a job, the task environment variables that match the secret pattern have their values replaced with "[REDACTED]", even if they only inherit the value from inputs.

For example:

name: Example
inputs:
  SECRET: 12345
tasks:
  - name: Example
    run: |
      echo "hello world"
    image: python:3-slim
    env:
      SECRET: "{{ inputs.SECRET }}"

When duplicating this job, its definition becomes:

name: Example
inputs:
  SECRET: "[REDACTED]"
tasks:
  - name: Example
    run: |
      echo "hello world"
    image: python:3-slim
    env:
      SECRET: "[REDACTED]"

The second redaction is unnecessary.

v36372 Feb 20 '24 10:02

This is due to your environment variable named SECRET. A quick fix would be to rename it to something else. That being said, I do plan on adding a top level job secrets construct to house all secrets, so I never have to redact anything within the job but only that section.

runabol Feb 21 '24 11:02

My intention is to redact everything. I have the secret pattern config like this:

[middleware.job.redact]
enabled = true
patterns = ["*"]

But that is not relevant to the point I'm making. I'm just proposing to maybe not redact the variables whose value is inherited from inputs, because it's not the actual content anyway.

v36372 Feb 26 '24 04:02

Parsing the value has too many edge cases. Example:

{{inputs.not_a_secret}}/actual_secret

So if I don't redact this it will have the secret in the clear.

That's why I'm thinking of adding a new secrets construct that will be more explicit.

runabol Feb 26 '24 13:02
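
The edge case above, as an added example that is not part of the thread and not Tork's code: a Go check that leaves an env value unredacted only when the whole value is a single `{{ inputs.NAME }}` expression, so a mixed value such as `{{inputs.not_a_secret}}/actual_secret` is still redacted. It assumes every key matches the redact patterns (as with `patterns = ["*"]`) and that only this simple expression form counts as a reference; `IsPureInputRef` and `RedactEnv` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// pureInputRef matches a value that is exactly one {{ inputs.NAME }}
// expression. Anchoring both ends is what rejects mixed values.
var pureInputRef = regexp.MustCompile(`^\{\{\s*inputs\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$`)

// IsPureInputRef (hypothetical helper) reports whether value carries no
// literal content of its own, only a reference to a job input.
func IsPureInputRef(value string) bool {
	return pureInputRef.MatchString(strings.TrimSpace(value))
}

// RedactEnv (hypothetical helper) returns a copy of env where every value
// is "[REDACTED]" unless it is a pure input reference. Anything the check
// cannot prove to be a bare reference is redacted.
func RedactEnv(env map[string]string) map[string]string {
	out := make(map[string]string, len(env))
	for k, v := range env {
		if IsPureInputRef(v) {
			out[k] = v
		} else {
			out[k] = "[REDACTED]"
		}
	}
	return out
}

func main() {
	// Constructed sample values; the first two come from the thread.
	env := map[string]string{
		"SECRET": "{{ inputs.SECRET }}",
		"URL":    "{{inputs.not_a_secret}}/actual_secret",
		"TOKEN":  "12345",
		"PAIR":   "{{ inputs.a }}{{ inputs.b }}",
	}
	red := RedactEnv(env)
	keys := make([]string, 0, len(red))
	for k := range red {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, red[k])
	}
}
```
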

The new secret feature suffices for my needs. Thank you.

v36372 Jul 03 '24 09:07